Security Audit Questionnaire

The Security Audit Questionnaire was designed primarily to help evaluate the security capabilities of cloud providers and third parties offering electronic discovery or managed services.

The tool is also useful as a self-checklist for organizations testing the security capabilities of their own in-house systems.

Use the questionnaire to assess an organization’s strength in protecting data from destruction or unauthorized access, as well as compliance with data-related legislation such as:

Gramm-Leach-Bliley Act (GLBA)

PCI DSS (Payment card industry)

Sarbanes-Oxley Act

Security breach notification laws

The tool sets out 74 separate criteria under seven categories. Use it to assign an importance or weight to each criterion, so that you can emphasize the criteria that are mission-critical for you and downplay those that matter less to your business. EDRM produced a webinar to help you determine how best to use the tool.

[Note: The Questionnaire was updated in April 2017 to correct a missing formula and remove references to HIPAA certification. This document will continue to be updated as needed. Suggestions for further edits are welcome at EDRM@law.duke.edu.]

The EDRM Security Audit Team

A team of EDRM members representing e-discovery providers, corporate legal, and law firms convened in August 2016 to discuss security and compliance requirements and create a plan for the Security Audit Questionnaire. Amy Sellars, assistant general counsel, litigation support for Walmart Legal, and Julie Hackler, account executive at Avansic, led the team of 14 professionals with backgrounds in e-discovery, security, IT technologies, and litigation support in creating the tool. Over several months of collaborative effort, the team identified seven key security areas for audit, developed checklists and audit questions, and built and tested the questionnaire. Following is a list of the EDRM team members who participated in the project:

Except where otherwise noted, content posted at EDRM.net is licensed under a Creative Commons Attribution 3.0 Unported License. That means you are free to share, remix or make commercial use of the content so long as you provide attribution. To provide attribution, please cite to "EDRM (edrm.net)." If you have questions, contact us at mail@edrm.net.